Cybercrime , Fraud Management & Cybercrime , Ransomware
Conti Gang Members Fretted Over Putin's Ukraine InvasionNewly Released Chat Note in Recent Leak Says Putin 'Out of His Mind'
One question that's been floating around is if Russia, already mired in a ground war in Ukraine, would use its offensive cyber capabilities against the West. And even, perhaps, nudge ransomware gangs into doing its bidding.
See Also: Benefits of Automated XDR Platforms
It appears two Russian members of one ransomware gang, Conti, were indeed concerned about the war and its potential to influence and disrupt their lucrative extortion racket.
On Thursday, a Wisconsin-based consultancy that analyzes cybercrime activity, Hold Security, released an excerpt of a private chat between two Russian Conti members. In the chat, the two express misgivings about the war in Ukraine due to its violence. One participant bad-mouths Russian President Vladimir Putin, saying he has lost his mind.
Conti is one of the most prolific ransomware gangs, and its victims have included Ireland's Health Service Executive and dozens of others. Like other ransomware gangs, it first extracts data from victims' systems. If a group doesn't pay for the decryption key, it seeks to squeeze a ransom by releasing sensitive data publicly, a tactic known as "double extortion."
The conversation between the Conti members took place just a day before a Ukrainian cybersecurity researcher who tweets under the handle @contileaks began releasing Conti's Jabber chat logs and reams of other data related to its inner workings. The conversation released by Hold Security is not in those logs.
The researcher dumped the data due to his anger and despair over Russia's invasion. It's believed that the data leak could mark the end of Conti, but the gang has bounced back before (see: Ukrainian Researcher Leaks Conti Ransomware Gang Data).
Putin: 'Out of His Mind'
The conversation was collected via a keylogger monitored by Hold Security that's on the computer of one of the gang members, who goes by the nickname Bio, says Alex Holden, CTO of Hold Security.
Holden says Bio negotiates with ransomware victims and has some technical duties, including penetration testing potential victims. Bio is chatting with Skippy, who is also a negotiator. The chat is in Russian, and here are translated excerpts:
Bio: You see what's going on there. I mean war.
Bio: Our guys are dying there. It's f****d up.
Skippy: I monitored the first day, then stopped.
Bio: Vlad [Putin] is out of his f*****g mind, that much is clear.
Skippy: People are dying on both sides.
Bio: I thought it would be different, but this is f****d up.
Skippy: How different? Things will change when the bonfires are lit in Red [Square] with the Kremlin as a headliner. But not like the war in 1994 (Editor's note: This is believed to be a Chechnya reference).
Skippy: I hope people realize that this is f****d up.
Bio: What the f**k does it matter if people understand?
Skippy: F**k! Maybe the Kremlin will finally burst into flames.
Then they chat about cash. Skippy says their holdings are in cryptocurrency and cash. They seem concerned over the impact of the war on their finances, but Skippy says "a dollar is a dollar," perhaps underscoring the stability of the U.S. dollar over the Russian ruble.
Conti: Mixed Feelings on Ukraine
After Russia invaded Ukraine on Feb. 24, Conti published a post entitled "Warning." It said it was "announcing a full support of Russian government." It also said if anyone mounted a cyberattack against Russia, it would strike back at "critical infrastructures" of the enemy.
It was a bold move for an already loathed gang, in an environment where governments such as the U.S. and Australia are taking offensive action against ransomware gangs. Conti deleted the post.
But the gang wrote a replacement post that reads in part: "We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression."
Holden says the conversation is a sign that even Russian members of Conti are somewhat questioning Putin's actions in Ukraine.
"It does not humanize them [ransomware cybercriminals] more, but it shows that Conti is not uniformly supporting the Russian invasion," says Holden, whose family left Kiev after the Chernobyl nuclear disaster in 1986 and eventually settled in Milwaukee.
It's not uncommon for some Ukrainians to have become intertwined with ransomware, banking Trojans and cybercrime. In January, Ukrainian authorities carried out their seventh major cybercrime crackdown in a year, arresting five people suspected of carrying out ransomware attacks (see: Ukraine Police Bust Ransomware Suspects Tied to 50 Attacks).
Russian and Ukrainian cybercriminals sometimes collaborated, which means the tension over the war could create friction. It could also create trust issues, particularly with Ukraine-based cybercrime services that Russian cybercriminals might use, says Brett Callow, a threat intelligence analyst with Emsisoft.
"In more general terms, the war may actually have made things harder for Russian ransomware gangs," Callow says. "They’ll not necessarily know which of their affiliates they can trust, especially if they don’t know their geographic location, and will not want to be the next gang to suffer a leak."